If you have a passphrase on your private key (as one should), would that
not be considered something you know as well?

On Thu, Dec 1, 2016 at 10:34 AM, Robert Hajime Lanning <lann...@lanning.cc>
wrote:
> I have only implemented RSA, but I will be doing a bit of research on this
> topic shortly.
>
> For my current job we'll be needing MFA for a secure environment, in the
> next couple of months. They won't be able to afford RSA.
>
> But I do need to note that PKI key+Duo is not MFA. (Something you have +
> Something you have)
>
> MFA is Multi Factor Authentication and is defined as: (pick 2+ separate
> items)
>
> 1) Something you know (password/PIN not written down)
> 2) Something you have (device that can not be copied, RSA fob, PKI
> hardware token/smart card...)
> 3) Something you are (biometrics)
>
> RSA is fob + PIN.
>
> My current plan is a PKI hardware token that requires a PIN/passcode to
> unlock the token to use the private key contained within. The key pair is
> generated on the token and the private key cannot be copied off the token.
>
> Ssh and openvpn clients support PKCS#11 for PKI hardware.
>
>
> On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
>>
>> I'm an end-user of Duo at the day job and relatively happy with it. Was
>> not involved in the setup, though. OTOH I remember someone in #lopsa saying
>> they had problems with them and had been unhappy. Can't remember who or why
>> offhand, hopefully they'll chime in on this thread.
>>
>> I will note that the most common problem with Duo that I've personally
>> seen is when folks have it configured to give them a phone call instead of
>> running the app and getting a push notification. In our setup, to access
>> the windows jumpbox we start an RDP session, and after normal user auth, it
>> then triggers a Duo challenge. But the phone call setting seems to get
>> delayed enough that the RDP session fails with a network policy error.
>> People adjusting their user config with push notifications works better. I
>> have not looked into seeing if you can just blanket disable that option,
>> but it seems a bit odd that they offer that as a service when it doesn't
>> work; then again, we may have a more aggressive timeout policy on the Duo
>> portion than is recommended. Again, wasn't involved in the setup as it
>> predated me, so I'm not sure.
>>
>> I know it also works with Linux boxes and that's on my list to check out,
>> just haven't gotten to it yet. We'd likely only enable it on nodes with
>> public IPs that have SSH listening/allowed, so it has been low on my
>> priority list.
>>
>> Duo is also apparently free depending on how many users/devices you have,
>> whereas last time I heard about the RSA setup, it was very expensive. I'm
>> planning on adding Duo support to my personal AWS Linux nodes for SSH (so
>> key+MFA auth, no passwords allowed).
>>
>> On Wed, Nov 30, 2016 at 10:31 AM, Kyle Stewart <
>> _kylestew...@outlook.com> wrote:
>>
>>> Hi all, hope this email finds everyone well. We're looking into setting
>>> up two-factor authentication at my company for a 2017 project and I'm
>>> in the "Let's get the lay of the land" phase. Right now it seems like Duo
>>> is making big headway in this market, but I've heard good things about RSA
>>> as well. I'd love to get some first-hand feedback from people who have used
>>> these types of 2FA solutions who aren't sales people :)
>>>
>>>
>>> Overall I get what 2FA/MFA does, but I'm blurry on how it gets
>>> implemented - at face value I'm very interested in Duo so if anyone has
>>> experience with Duo and setting it up (preferably alongside Palo Alto's and
>>> GlobalProtect) that'd be fantastic.
>>>
>>>
>>> Thanks in advance!
>>>
>>>
>>> _____________________________
>>> Kyle Stewart
>>>
>>> _______________________________________________
>>> Discuss mailing list
>>> Discuss@lists.lopsa.org
>>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
>>> This list provided by the League of Professional System Administrators
>>> http://lopsa.org/
>>>
>>>
>>
>
>
> --
> Mr. Flibble
> King of the Potato People
> http://www.linkedin.com/in/RobertLanning
>
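Morgan's plan above is "key+MFA auth, no passwords allowed" on SSH, and Robert's point is that the second factor has to be a genuinely separate category. The script below is an added example, not code from anyone in this thread or from Duo: it audits an sshd_config for that policy, assuming the second factor is delivered through PAM keyboard-interactive (as Duo's pam_duo does), which is an assumption about the deployment rather than something the thread states. The two config texts are constructed samples, and the checker also catches the easy-to-miss case of a Match block quietly relaxing AuthenticationMethods for some address range.

```python
# Added example (not from the thread): audit an sshd_config for the policy
# "public key + PAM-backed second factor, password-only logins disabled".
# Assumes the second factor is delivered via PAM keyboard-interactive
# (for instance Duo's pam_duo); that is an assumption about the deployment.
import re

# Constructed sample configs so the script runs offline.
SAMPLE_SSHD_CONFIG = """\
# constructed sample: key + second factor, with a risky Match exception
Port 22
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match Address 10.0.0.0/8
    AuthenticationMethods publickey
"""

WEAK_SSHD_CONFIG = """\
# constructed sample: password-only logins still possible
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""

# sshd defaults for the keywords we care about when they are absent.
DEFAULTS = {
    "usepam": "no",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text):
    """Split sshd_config into the global section and its Match blocks.

    Keywords are lower-cased. Like sshd, the first value seen for a keyword
    within a section wins, so later duplicates are ignored.
    """
    config = {"global": {}, "match": []}
    current = config["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            block = {"criteria": value, "settings": {}}
            config["match"].append(block)
            current = block["settings"]
            continue
        current.setdefault(key, value.lower())
    return config


def _chain_is_strong(chain):
    """A comma-separated method chain is strong only if it needs both factors.

    A ':pam' suffix (keyboard-interactive:pam) is stripped before comparing.
    """
    parts = [p.strip().split(":")[0] for p in chain.split(",")]
    return "publickey" in parts and "keyboard-interactive" in parts


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the policy holds."""
    config = parse_sshd_config(text)
    g = config["global"]
    findings = []
    if g.get("usepam", DEFAULTS["usepam"]) != "yes":
        findings.append("UsePAM is not 'yes': the PAM second factor never runs")
    if g.get("pubkeyauthentication", DEFAULTS["pubkeyauthentication"]) != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if g.get("passwordauthentication", DEFAULTS["passwordauthentication"]) != "no":
        findings.append("PasswordAuthentication is not 'no': a password alone may still log in")
    # OpenSSH 8.7+ renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication; accept either spelling (default yes).
    kbd = g.get("kbdinteractiveauthentication",
                g.get("challengeresponseauthentication", "yes"))
    if kbd != "yes":
        findings.append("keyboard-interactive is disabled: PAM challenges cannot be delivered")
    methods = g.get("authenticationmethods", "")
    if not methods:
        findings.append("AuthenticationMethods is unset: any single enabled method suffices")
    else:
        for chain in methods.split():
            if not _chain_is_strong(chain):
                findings.append(
                    f"AuthenticationMethods chain '{chain}' does not require "
                    "publickey AND keyboard-interactive")
    # A Match block can silently weaken the global policy for some clients.
    for block in config["match"]:
        override = block["settings"].get("authenticationmethods")
        if override and not all(_chain_is_strong(c) for c in override.split()):
            findings.append(
                f"Match '{block['criteria']}' weakens AuthenticationMethods to '{override}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("weak", WEAK_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK"])
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the checker is deliberately strict about AuthenticationMethods because without it sshd accepts whichever single enabled method succeeds, which is exactly the "password-only" path the policy is meant to close.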